test/gitea-mirror
1
0
Fork 0
mirror of https://gitea.com/gitea/gitea-mirror.git synced 2026-03-20 03:40:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

Make container registry support Apple Container (basic auth) (#36920)

Browse Source 
Fix #36907
This commit is contained in:
wxiaoguang
2026-03-19 07:43:44 +08:00
committed by GitHub
parent 18c65965ab
commit 00060ff73c
3 changed files with 28 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
routers/api/packages/api.go
View File

@@ -88,7 +88,11 @@ func reqPackageAccess(accessMode perm.AccessMode) func(ctx *context.Context) {
} }
} }
func verifyAuth(r *web.Router, authMethods []auth.Method) { type verifyAuthOptions struct {
afterAuthCallback func(ctx *context.Context, err error)
}
func verifyAuth(r *web.Router, authMethods []auth.Method, opts verifyAuthOptions) {
if setting.Service.EnableReverseProxyAuth { if setting.Service.EnableReverseProxyAuth {
authMethods = append(authMethods, &auth.ReverseProxy{}) authMethods = append(authMethods, &auth.ReverseProxy{})
} }
@@ -97,12 +101,13 @@ func verifyAuth(r *web.Router, authMethods []auth.Method) {
r.AfterRouting(func(ctx *context.Context) { r.AfterRouting(func(ctx *context.Context) {
var err error var err error
ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session) ctx.Doer, err = authGroup.Verify(ctx.Req, ctx.Resp, ctx, ctx.Session)
if err != nil { ctx.IsSigned = ctx.Doer != nil
if opts.afterAuthCallback != nil {
opts.afterAuthCallback(ctx, err)
} else if err != nil {
log.Error("Failed to verify user: %v", err) log.Error("Failed to verify user: %v", err)
ctx.HTTPError(http.StatusUnauthorized, "Failed to authenticate user") ctx.HTTPError(http.StatusUnauthorized, "Failed to authenticate user")
return
} }
ctx.IsSigned = ctx.Doer != nil
}) })
} }
@@ -119,7 +124,7 @@ func CommonRoutes() *web.Router {
&nuget.Auth{}, &nuget.Auth{},
&Auth{}, &Auth{},
&chef.Auth{}, &chef.Auth{},
}) }, verifyAuthOptions{})
r.Group("/{username}", func() { r.Group("/{username}", func() {
r.Group("/alpine", func() { r.Group("/alpine", func() {
@@ -537,8 +542,15 @@ func ContainerRoutes() *web.Router {
verifyAuth(r, []auth.Method{ verifyAuth(r, []auth.Method{
&auth.Basic{}, &auth.Basic{},
// container auth requires an token, so container.Authenticate issues a Ghost user token for anonymous access // container auth requires token, so container.Authenticate issues a Ghost user token for anonymous access
&Auth{AllowGhostUser: true}, &Auth{AllowGhostUser: true},
}, verifyAuthOptions{
afterAuthCallback: func(ctx *context.Context, err error) {
if err != nil {
log.Error("Failed to verify container user: %v", err)
container.APIUnauthorizedError(ctx)
}
},
}) })
// TODO: Content Discovery / References (not implemented yet) // TODO: Content Discovery / References (not implemented yet)

10
routers/api/packages/container/container.go
View File

@@ -120,17 +120,19 @@ func apiErrorDefined(ctx *context.Context, err *namedError) {
}) })
} }
func apiUnauthorizedError(ctx *context.Context) { func APIUnauthorizedError(ctx *context.Context) {
// container registry requires that the "/v2" must be in the root, so the sub-path in AppURL should be removed // container registry requires that the "/v2" must be in the root, so the sub-path in AppURL should be removed
realmURL := httplib.GuessCurrentHostURL(ctx) + "/v2/token" realmURL := httplib.GuessCurrentHostURL(ctx) + "/v2/token"
ctx.Resp.Header().Add("WWW-Authenticate", `Bearer realm="`+realmURL+`",service="container_registry",scope="*"`) ctx.Resp.Header().Add("WWW-Authenticate", `Bearer realm="`+realmURL+`",service="container_registry",scope="*"`)
// support apple container like: container registry login <gitea-host> -u
ctx.Resp.Header().Add("WWW-Authenticate", `Basic realm="Gitea Container Registry"`)
apiErrorDefined(ctx, errUnauthorized) apiErrorDefined(ctx, errUnauthorized)
} }
// ReqContainerAccess is a middleware which checks the current user valid (real user or ghost if anonymous access is enabled) // ReqContainerAccess is a middleware which checks the current user valid (real user or ghost if anonymous access is enabled)
func ReqContainerAccess(ctx *context.Context) { func ReqContainerAccess(ctx *context.Context) {
if ctx.Doer == nil || (setting.Service.RequireSignInViewStrict && ctx.Doer.IsGhost()) { if ctx.Doer == nil || (setting.Service.RequireSignInViewStrict && ctx.Doer.IsGhost()) {
apiUnauthorizedError(ctx) APIUnauthorizedError(ctx)
} }
} }
@@ -156,7 +158,7 @@ func Authenticate(ctx *context.Context) {
packageScope := auth_service.GetAccessScope(ctx.Data) packageScope := auth_service.GetAccessScope(ctx.Data)
if u == nil { if u == nil {
if setting.Service.RequireSignInViewStrict { if setting.Service.RequireSignInViewStrict {
apiUnauthorizedError(ctx) APIUnauthorizedError(ctx)
return return
} }
@@ -170,7 +172,7 @@ func Authenticate(ctx *context.Context) {
if err != nil { if err != nil {
log.Error("Error checking access scope: %v", err) log.Error("Error checking access scope: %v", err)
} }
apiUnauthorizedError(ctx) APIUnauthorizedError(ctx)
return return
} }
} }

5
tests/integration/api_packages_container_test.go
View File

@@ -88,7 +88,10 @@ func TestPackageContainer(t *testing.T) {
Token string `json:"token"` Token string `json:"token"`
} }
defaultAuthenticateValues := []string{`Bearer realm="` + setting.AppURL + `v2/token",service="container_registry",scope="*"`} defaultAuthenticateValues := []string{
`Bearer realm="` + setting.AppURL + `v2/token",service="container_registry",scope="*"`,
`Basic realm="Gitea Container Registry"`,
}
t.Run("Anonymous", func(t *testing.T) { t.Run("Anonymous", func(t *testing.T) {
defer tests.PrintCurrentTest(t)() defer tests.PrintCurrentTest(t)()